User-managed access (UMA) enables consumer consent for digital ID
17 November, 2015
category: Corporate, Digital ID, Financial, Government
By Eve Maler, ForgeRock and Joni Brennan, Kantara Initiative
Existing notice-and-consent paradigms of privacy have begun to fail dramatically, and as recent consumer surveys and press reports have demonstrated, people have begun to (ahem) notice. The discipline of privacy engineering aspires to be a craft, but finds it hard to break out of the compliance rut.
Enter User-Managed Access (UMA). UMA is an industry standard developed by the Kantara Initiative through an open community process. Through industry expert input and implementation, UMA is now a Version 1.0 Kantara Initiative Recommendation – the highest form of recognition possible in the organization.
How UMA works
UMA-enabled online services give individuals a unified control point for authorizing who and what can get access to their online personal data – such as email addresses, phone numbers, content such as photos, and services, for example Twitter and electronic health records – no matter where those resources live online.
UMA is built on top of OAuth V2.0 and OpenID Connect. These are the technologies that enable the “Do you want to allow your identity data to be shared from Facebook, or Twitter, with this app?” consent dialog boxes seen on many websites and mobile applications.
The Identity Engineering Task Force standardized OAuth 2 in 2012, and the OpenID Foundation approved the OpenID Connect spec two years later. To these, UMA adds two essential elements that change the privacy game: asynchronous consent and centralized consent management. Together, the three standards form a powerful triad of lightweight, enabling technologies that are solving modern identity and access challenges.
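A simplified in-memory model of the two elements named above, centralized consent management and asynchronous consent, added here as an illustration. It is not code from the UMA specification or from the authors and does not implement the UMA wire protocol; `ConsentHub`, its methods and the resource names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


class ConsentHub:
    """Toy authorization server: one place holding an owner's sharing policies."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key known only to the hub
        self.owners = {}                     # resource_id -> owner
        self.policies = {}                   # (resource_id, party) -> set of scopes
        self.pending = []                    # requests awaiting the owner's decision

    def register(self, resource_id, owner):
        # Called by any resource server (photo site, fridge cloud, ...).
        self.owners[resource_id] = owner

    def set_policy(self, owner, resource_id, party, scopes):
        # The owner decides ahead of time or later, not during the request itself.
        if self.owners.get(resource_id) != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[(resource_id, party)] = set(scopes)
        self.pending = [p for p in self.pending if p != (resource_id, party)]

    def request_access(self, party, resource_id, scopes):
        granted = self.policies.get((resource_id, party), set())
        if resource_id not in self.owners or not set(scopes) <= granted:
            # No standing consent: queue for the owner instead of prompting now.
            if resource_id in self.owners and (resource_id, party) not in self.pending:
                self.pending.append((resource_id, party))
            return None
        body = json.dumps({"res": resource_id, "party": party,
                           "scopes": sorted(scopes)}, sort_keys=True)
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def introspect(self, token, resource_id, scope):
        # Resource servers ask the hub whether a token covers this access.
        body, _, sig = (token or "").rpartition(".")
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, good):
            return False
        claims = json.loads(body)
        # Re-check current policy so a revoked grant stops working at once.
        live = self.policies.get((claims["res"], claims["party"]), set())
        return claims["res"] == resource_id and scope in claims["scopes"] and scope in live
```

A request with no standing policy returns `None` and lands in `pending`; once the owner sets a policy, the same request yields a token that any registered resource server can check through `introspect`.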
Why connected devices need user-managed access
An appliance that was previously “dumb,” like a refrigerator, can now have sensors and be network addressable.
When a user buys a smart refrigerator they are likely to sign up for a number of features including:
- Multi-zone temperature settings to keep beer icy cold and lettuce just cool enough
- Stock management to lock specific drawers and scan groceries to help users maintain dynamic grocery lists
- Alerts that let users know if the eggs have gone bad or if they are out of that icy cold beer
- Cameras to check in real time if a user has milk
It’s also likely that those same users are subject to features they did not sign up for such as:
- Customer insights and profiles detailing which brands the user prefers
- Usage patterns that could identify if a user is a heavy drinker
- Probability that a user will buy a certain product
- Or even being part of a botnet attack – recently a refrigerator was used to send 750,000 spam messages
UMA provides a comprehensive, yet simple, open-standard approach to address these issues over a broad and growing set of use cases.
UMA in a connected world of people, services and now devices
Digital identity has evolved from a world of perimeter-based, enterprise-focused authentication and authorization to a borderless environment where users leverage online personas to access an ever-growing number of resources and services. Resources are no longer merely software-based and virtual, either. Increasingly these resources include Internet-connected devices that deal in sensitive personal data.
This new world includes an ever-growing array of devices from computing and mobile to wearables, home automation and beyond. These new data generation points increase the need for individuals to have control over elements of their online identity. UMA is ideally situated to serve this rising need of personal privacy protection.
CIOs must tackle the “Four P’s” of this newly connected world:
- Potential – The IoT connected world presents a significant opportunity for connection between people, entities and things. To realize this potential, while minimizing risks, CIOs will need to have a clear understanding of developing technology, services and policy.
- Patterns – Adoption of IoT devices has a side effect in that it reveals interesting data patterns that can be helpful for users, businesses, and governments. Unfortunately, these patterns can also be helpful for criminals. Think of products like Google’s Nest or the Belkin WeMo that contain settings for use. When usage is reviewed over time, a pattern could reveal when a person is home and when they are on vacation.
- Privacy – Pervasive collection and use of data without transparency, accountability and user engagement can be very concerning. Users may feel they are not being respected and could feel “creeped out” about using new technology. Businesses and governments may not know how to protect data appropriately.
- People – People who use sensor-enabled apps and devices are generating the data that is seen as the fuel for generating opportunities and risks associated with IoT adoption.
Use Cases for a connected world
There are numerous benefits to UMA adoption across digital environments.
The technology provides flexibility in binding a user to a device and to a corresponding cloud service account. This is essential in the modern world of SaaS architecture, dispersed web services and looming IoT.
Additionally, centralization of controls makes UMA user-friendly for consumers. Users can specify what to share across apps and devices they actually use as well as with third parties. Finally, UMA provides a degree of future proofing if protections need to be outsourced to another body due to regulatory or other market changes.
The User Managed Access Working Group has published detailed use cases addressing personal data sharing management for scenarios including: health care, personal, finance, media, citizen, academia and more. Solving a critical emerging technology scenario, UMA provides approaches for authorization and management of data resources that will be critical for enabling user engagement in an IoT connected world.